As promised at the XML Encryption workshop, here is a description of the
different types of algorithms along with what I would recommend for the
different levels of support. Let the discussion begin:
Stream Encryption Algorithms:
The most common stream encryption algorithm currently in use is RC4. I do
not see any reason to include a Stream Encryption algorithm in the suite of
algorithms included in the document. Most encryption that is used for store
and forward operations is block encryption.
Recommendation: No Stream Encryption Algorithms are selected for the
document.
Block Encryption Algorithms:
TripleDES - This is the current U.S. government standard algorithm. In
almost all instances the algorithm is run with 3 DES keys in EDE
(encryption, decryption, encryption) sequence. Unless you are only
encrypting one block of data, it almost always uses CBC chaining mode with
PKCS#5 padding.
AES - This is the proposed U.S. government standard algorithm based on the
Rijndael submission. Used as the AES algorithm, it is fixed to a 128-bit
block size but still uses 128, 192 and 256-bit keys. As with TripleDES, the
most common mode is CBC chaining with PKCS#5 padding.
Recommendation: AES is MUST in the same key lengths as CMS adopts. AES in
other key lengths and TripleDES are MAY.
Chaining Modes:
CBC (Cipher Block Chaining) has the property that all subsequent blocks are
dependent on all previous blocks. This is currently the version of chaining
used in all CMS algorithms. It requires that a padding algorithm be used
(usually PKCS#5) unless the plain text is known to always occur in multiples
of the block size.
CTS (Cipher Text Stealing) has the property that the cipher text and plain
text are always the same length. Based on the mail from Hal Finney this may
not be a desirable attribute for XML encryption.
Recommendation: Block encryption should be done using CBC and PKCS#5 padding.
Key Transport Algorithms:
RSA-v1.5 - This is the standard RSA algorithm used in CMS today. It has the
benefit of being widely used and the downside that there is a known attack
against it.
RSA-OAEP - This is the revised RSA algorithm for doing key transport. The
same RSA public/private key pair can be used for both RSA-v1.5 and RSA-OAEP,
so there is no need to choose just one of these variants.
Recommendation: RSA-OAEP should be used with AES. RSA-v1.5 should be used
with TripleDES.
Key Agreement Algorithms:
Key agreement algorithms consist of two different parts that need to be
specified. The first is how the shared secret value is computed and the
second is how that shared secret is converted into a key.
Diffie-Hellman is the CMS defined key agreement algorithm. It should be
noted that several patent claims have been made against improvements on the
base DH algorithm to prevent some known attacks. (The IETF S/MIME working
group has put out an informational document on these attacks.) There is no
need to differentiate between the Ephemeral-Static and Static-Static
variants in the XML Encryption standard as the same syntax and processing
can be used for both variants. (All that differs is how the Originator
KeyInfo is specified.)
The S/MIME working group has defined a method of getting a TripleDES key
from DH key agreement; however, the same has not been defined for AES.
Recommendation: Unless there is a strong reason for putting in a Key
Agreement algorithm, no key agreement algorithm should be proposed.
Symmetric Key Wrap Algorithms:
The S/MIME working group has two different key wrap algorithms specified.
CMS-KeyWrap is used for wrapping Triple-DES and RC2 keys. The algorithm is
simple and has been implemented by several different groups of people. This
is the algorithm that is used for S/MIME ES-DH key agreement key wrapping.
S/MIME-Password is an alternate that has been proposed for use when
encrypting a Triple-DES or RC2 key when the wrapping key is derived from a
password. There is currently no consensus in the working group that this
should become a standard wrapping algorithm.
AES key wrap has been requested from the NSA by the S/MIME working group.
It is currently expected that we will receive this by March 2001. In the
event that we don't get one, the working group would most likely adapt
the CMS-KeyWrap algorithm for AES purposes.
Recommendation: Make the AES keywrap from the NSA the mandatory algorithm
when it appears.
Password Derivation Algorithms:
There are several different password to key derivation algorithms available
for use. If a password key derivation algorithm is to be used, I would
expect it to be placed in the KeyInfo as a new Key Identifier rather than as
an EncryptionMethod algorithm.
Recommendation: Don't make any password derivation algorithms standard.
Other Algorithms:
Message Authentication - There was a desire at one point to do message
authentication as part of encryption. However, it can easily be done as part
of the digital signature standard, so one just needs to encrypt and sign the
object with a MAC.
Compression - The Workshop took a straw poll and determined that compression
would not be part of the XML Encryption standard.